How to build a strong DevSecOps culture: 5 tips

The most secure organizations treat security as a culture, not a step. Here’s how to nurture a DevSecOps culture of your own – and use metrics to gauge success

4. Make the “sec” in security silent

“The key to a good DevSecOps culture is to remove as much friction as possible from processes,” Schmitt of Aporeto says. “I like to think that the ideal way to think about integrating security into DevSecOps is to make ‘Sec’ silent.”

That’s not necessarily to be taken literally; security should have a seat at the table and a voice, of course. Rather, this is where the technical pieces of your security posture come into play. For Schmitt, reducing friction, or making security “silent,” ideally means embracing automation in your security processes and tools.

“The ultimate incentive is enabling DevOps teams to implement security automatically as part of their everyday processes,” Schmitt says. He points to integrating security controls directly into the CI/CD pipeline and development tools as an example.

You’ve got good options at your disposal, including plenty of open source platforms.

“From a technical perspective, a good place to start is to make sure each team is making use of available open source tools to perform security-related tasks,” says Cheslock at Threat Stack. “Configuration management tools have made the integration of operations and security a much easier proposition.”

5. Implement shared goals and KPIs

A strong DevSecOps culture that your team really buys into also depends upon eliminating conflicting performance incentives across different roles on the same team. A classic conflict in this category would be developers who are measured almost entirely by how quickly and frequently they ship code, and security pros who are tasked with limiting vulnerabilities in production. One wants to move as fast as possible; the other is essentially motivated to slow everything down.

DevSecOps should be, in part, about getting people on the same page, working toward common goals – with shared responsibilities and metrics.

“It’s all about shared goals,” Cheslock says. “Give both DevOps and security teams a shared framework to work against. The [whole] team needs to understand that it’s now up to them to own security the way they once were expected to own user experience, reliability, and performance.”

Jerbi shares several key performance indicators as examples for measuring your DevSecOps efforts. Everyone should share in the responsibility for these measurements, not just the security team:

  • Number of app security issues discovered in production: You want this number, obviously, to decrease. “Issues discovered in production are issues missed during development, so this number should be minimized,” Jerbi says.

  • Percentage of deployments stopped/delayed due to failing security tests: “Again, ideally such issues should be resolved before deployment.”

  • Time to fix security issues: This is a longer-haul measurement that should decrease over time; it should be one of the rewards of a healthy DevSecOps culture, in that it reduces the effort and pain involved in resolving security issues when they do occur. “Hopefully, issues that are discovered pre-integration are easier and faster to fix, so this is also a reflection of how well the team is performing,” Jerbi says.
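To make these three KPIs concrete, here is an added Python example (not code from the article or from any of the vendors quoted in it) that computes them from constructed issue and deployment records; the record fields and the stage names are assumptions, and open issues are excluded from time-to-fix rather than counted as zero so they cannot flatter the number.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Issue:
    id: str
    stage: str                  # where it was found: "pre-integration", "ci" or "production" (assumed names)
    discovered: datetime
    fixed: Optional[datetime]   # None while the issue is still open


@dataclass
class Deployment:
    id: str
    blocked_by_security: bool   # stopped or delayed because a security test failed


# Constructed sample records for illustration; not real project data.
ISSUES = [
    Issue("I-1", "pre-integration", datetime(2020, 5, 1), datetime(2020, 5, 2)),
    Issue("I-2", "ci", datetime(2020, 5, 3), datetime(2020, 5, 5)),
    Issue("I-3", "production", datetime(2020, 5, 4), datetime(2020, 5, 12)),
    Issue("I-4", "production", datetime(2020, 5, 10), None),
    Issue("I-5", "pre-integration", datetime(2020, 5, 11), datetime(2020, 5, 11)),
]
DEPLOYMENTS = [Deployment(f"D-{n}", blocked)
               for n, blocked in enumerate([False, True, False, False, True, False], 1)]


def production_issue_count(issues):
    """KPI 1: security issues first discovered in production; this should trend down."""
    return sum(1 for i in issues if i.stage == "production")


def blocked_deployment_pct(deployments):
    """KPI 2: percentage of deployments stopped or delayed by failing security tests."""
    if not deployments:
        return 0.0
    return 100.0 * sum(d.blocked_by_security for d in deployments) / len(deployments)


def median_time_to_fix_days(issues, stage=None):
    """KPI 3: median days from discovery to fix, for all issues or for one discovery stage.
    Returns None when no fixed issue matches, so a missing sample is not reported as 0."""
    durations = [(i.fixed - i.discovered) / timedelta(days=1)
                 for i in issues if i.fixed is not None and (stage is None or i.stage == stage)]
    return median(durations) if durations else None
```

Splitting KPI 3 by stage lets a team check Jerbi's expectation that issues caught pre-integration are fixed faster than those caught in production.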

If you’re just starting out, remember that improved security isn’t a check-off in a healthy DevSecOps culture, nor is improved security going to happen overnight. But shorter-term wins or milestones will help build and reinforce a healthy DevSecOps culture.

“Begin by tackling some low-hanging fruit to build trust,” Cheslock advises. “Identify some basic improvements in security hygiene that you’d like to see from the team – maybe password security or encryption – then build upon that. Each successful initiative gets security further ingrained in the culture of the enterprise.”
